#!/bin/bash
if log-helper level eq trace; then
    set -x
fi

# jsonssl-helper: get a certificate, its private key and the CA certificate
# out of a JSON file such as a Kubernetes secret or Traefik's acme.json.
#
# Usage: jsonssl-helper prefix cert_file key_file ca_file
#
# The configuration is taken from environment variables; see the
# jsonssl-default-env file for the defaults.

PREFIX=$1
CERT_FILE=$2
KEY_FILE=$3
CA_FILE=$4

log-helper debug "jsonssl-helper is launched, everybody on the floor!"

# All four positional arguments are mandatory and must be non-empty.
[[ -n "${PREFIX}" && -n "${CERT_FILE}" && -n "${KEY_FILE}" && -n "${CA_FILE}" ]] || {
    log-helper error "Usage: jsonssl-helper prefix cert_file key_file ca_file"
    exit 1
}

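if [[ ! -e "${CERT_FILE}" && ! -e "${KEY_FILE}" ]]; then
    # Neither the certificate nor the key exists yet: resolve the configuration,
    # then extract both (and the CA certificate when it is missing) from the
    # JSON file.

    PREFIX=${PREFIX^^} # uppercase

    # A prefixed variable takes precedence over the generic one.
    # Build the prefixed variable names first,
    # example : PREFIX_JSONSSL_FILE='MARIADB_JSONSSL_FILE'
    PREFIX_JSONSSL_FILE=${PREFIX}_JSONSSL_FILE
    PREFIX_JSONSSL_HOSTNAME=${PREFIX}_JSONSSL_HOSTNAME

    PREFIX_JSONSSL_PROFILE=${PREFIX}_JSONSSL_PROFILE
    PREFIX_JSONSSL_GET_CA_CERT_CMD=${PREFIX}_JSONSSL_GET_CA_CERT_CMD
    PREFIX_JSONSSL_GET_CERT_CMD=${PREFIX}_JSONSSL_GET_CERT_CMD
    PREFIX_JSONSSL_GET_KEY_CMD=${PREFIX}_JSONSSL_GET_KEY_CMD

    # ${!name} is indirect expansion: use the value of the prefixed variable
    # when it is set and non-empty, otherwise keep the generic value.
    JSONSSL_FILE=${!PREFIX_JSONSSL_FILE:-$JSONSSL_FILE}
    JSONSSL_HOSTNAME=${!PREFIX_JSONSSL_HOSTNAME:-$JSONSSL_HOSTNAME}

    JSONSSL_PROFILE=${!PREFIX_JSONSSL_PROFILE:-$JSONSSL_PROFILE}
    JSONSSL_GET_CA_CERT_CMD=${!PREFIX_JSONSSL_GET_CA_CERT_CMD:-$JSONSSL_GET_CA_CERT_CMD}
    JSONSSL_GET_CERT_CMD=${!PREFIX_JSONSSL_GET_CERT_CMD:-$JSONSSL_GET_CERT_CMD}
    JSONSSL_GET_KEY_CMD=${!PREFIX_JSONSSL_GET_KEY_CMD:-$JSONSSL_GET_KEY_CMD}

    source "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/jsonssl-default-env"

    if [[ -z "${JSONSSL_FILE}" ]]; then
        log-helper info "Variable JSONSSL_FILE is empty, set to default location:"
        log-helper info "JSONSSL_FILE=${JSONSSL_FILE_DEFAULT}"
        JSONSSL_FILE=${JSONSSL_FILE_DEFAULT}
    fi

    if [[ ! -e "${JSONSSL_FILE}" ]]; then
        log-helper error "JSONSSL_FILE file '${JSONSSL_FILE}' not found"
        exit 1
    fi

    # Built-in JSON profiles, only traefik for now.
    # The file paths and the hostname are shell-quoted with printf %q before
    # they are placed in a command string, and the hostname reaches jq as data
    # through --arg instead of being pasted into the filter, so a space, quote
    # or metacharacter in any of these values cannot change the command that
    # eval runs below.
    # "// empty" makes jq print nothing when no entry matches the hostname;
    # without it jq prints "null", which base64 -d decodes into a few bytes of
    # garbage that would pass the "file is not empty" checks.
    printf -v quoted_json_file '%q' "${JSONSSL_FILE}"
    printf -v quoted_cert_file '%q' "${CERT_FILE}"
    printf -v quoted_hostname '%q' "${JSONSSL_HOSTNAME}"
    case "${JSONSSL_PROFILE,,}" in
        traefik)
            # Let's Encrypt CA certificate is in cert file after the domain certificate.
            # So we take what's after the first cert.
            JSONSSL_GET_CA_CERT_CMD="awk '{if(found) print} /END CERTIFICATE/{found=1}' < ${quoted_cert_file}"

            JSONSSL_GET_CERT_CMD="jq -r --arg host ${quoted_hostname} '[.Certificates[]] | map(select(.Domain.Main == \$host)) | .[0].Certificate // empty' < ${quoted_json_file} | base64 -d"
            JSONSSL_GET_KEY_CMD="jq -r --arg host ${quoted_hostname} '[.Certificates[]] | map(select(.Domain.Main == \$host)) | .[0].Key // empty' < ${quoted_json_file} | base64 -d"
            ;;
        traefik_up_to_v1_6)
            # Let's Encrypt CA certificate is in cert file after the domain certificate.
            # So we take what's after the first cert.
            JSONSSL_GET_CA_CERT_CMD="awk '{if(found) print} /END CERTIFICATE/{found=1}' < ${quoted_cert_file}"

            JSONSSL_GET_CERT_CMD="jq -r --arg host ${quoted_hostname} '[.[\"DomainsCertificate\"].Certs[].Certificate] | map(select(.Domain == \$host)) | .[0].Certificate // empty' < ${quoted_json_file} | base64 -d"
            JSONSSL_GET_KEY_CMD="jq -r --arg host ${quoted_hostname} '[.[\"DomainsCertificate\"].Certs[].Certificate] | map(select(.Domain == \$host)) | .[0].PrivateKey // empty' < ${quoted_json_file} | base64 -d"
            ;;
    esac

    # NOTE(review): for any other profile the three commands come verbatim from
    # the *_JSONSSL_GET_*_CMD environment variables and are executed with eval.
    # They must only ever be set by whoever operates the container, never
    # derived from untrusted input.

    log-helper debug "Run JSONSSL_GET_CERT_CMD: ${JSONSSL_GET_CERT_CMD}"
    log-helper debug "put return in ${CERT_FILE}"
    eval "${JSONSSL_GET_CERT_CMD}" > "${CERT_FILE}"

    if [[ ! -s "${CERT_FILE}" ]]; then
        log-helper error "Generated file '${CERT_FILE}' is empty"
        log-helper error "Set loglevel to debug for more information"
        # Do not leave the empty file behind: the next run would see an
        # existing certificate and stop extracting.
        rm -f -- "${CERT_FILE}"
        exit 1
    fi

    log-helper debug "Run JSONSSL_GET_KEY_CMD: ${JSONSSL_GET_KEY_CMD}"
    log-helper debug "put return in ${KEY_FILE}"
    # Create the private key with mode 0600 from the first byte instead of
    # relying on the ambient umask, then restore the previous umask.
    previous_umask=$(umask)
    umask 077
    eval "${JSONSSL_GET_KEY_CMD}" > "${KEY_FILE}"
    umask "${previous_umask}"

    if [[ ! -s "${KEY_FILE}" ]]; then
        log-helper error "Generated file '${KEY_FILE}' is empty"
        log-helper error "Set loglevel to debug for more information"
        # Both files were created by this run. Remove them so that a later run
        # retries the extraction instead of accepting an empty key file as
        # "files exist".
        rm -f -- "${CERT_FILE}" "${KEY_FILE}"
        exit 1
    fi

    # if CA cert doesn't exist
    if [[ ! -e "${CA_FILE}" ]]; then
        log-helper debug "Run JSONSSL_GET_CA_CERT_CMD: ${JSONSSL_GET_CA_CERT_CMD}"
        log-helper debug "put return in ${CA_FILE}"
        eval "${JSONSSL_GET_CA_CERT_CMD}" > "${CA_FILE}"

        if [[ ! -s "${CA_FILE}" ]]; then
            log-helper error "Generated file '${CA_FILE}' is empty"
            log-helper error "Set loglevel to debug for more information"
            # Drop the empty CA file; the certificate and key written above
            # are kept.
            rm -f -- "${CA_FILE}"
            exit 1
        fi
    fi

    log-helper debug "done :)"

elif [[ ! -e "${KEY_FILE}" ]]; then
    # Only the certificate is present: refuse to continue with half a pair.
    log-helper error "Certificate file ${CERT_FILE} exists but not key file ${KEY_FILE}"
    exit 1
elif [[ ! -e "${CERT_FILE}" ]]; then
    # Only the key is present: refuse to continue with half a pair.
    log-helper error "Key file ${KEY_FILE} exists but not certificate file ${CERT_FILE}"
    exit 1
else
    # Both files already exist: nothing to extract, only tighten permissions
    # (certificate world-readable, private key owner-only).
    log-helper debug "Files ${CERT_FILE} and ${KEY_FILE} exists, fix files permissions"
    chmod 644 "${CERT_FILE}"
    chmod 600 "${KEY_FILE}"
fi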
